The BPDU Guard feature must be enabled on a port that should never receive a BPDU from its connected device—for example, a workstation, server, or printer. End devices are not supposed to generate BPDUs because, in a normal network environment, BPDU messages are exchanged only by network switches.
If BPDU Guard is configured globally, it affects only operational spanning tree edge ports. In a valid configuration, LAN edge interfaces do not receive BPDUs. A BPDU that is received by an edge LAN interface signals an invalid configuration, such as the connection of an unauthorized switch. BPDU Guard, when enabled globally, shuts down any spanning tree edge ports that receive a BPDU and generates an err-disable alert.
BPDU Guard provides a secure response to invalid configurations because, once the port has been err-disabled, an administrator must manually put the LAN interface back in service.
BPDU Filter
BPDU Filter prevents the switch from sending or even receiving BPDUs on specified ports.
When configured globally, BPDU Filtering applies to all operational spanning tree edge ports. Ports should connect to hosts only, which typically drop BPDUs. If an operational spanning tree edge port receives a BPDU, it immediately returns to a normal spanning tree port type and moves through the regular transitions. In that case, BPDU Filtering is disabled on this port, and the spanning tree resumes sending BPDUs on this port.
Note
Use care when configuring BPDU Filtering per interface. Explicitly configuring BPDU Filtering on a port that is not connected to a host can result in bridging loops because the port will ignore any BPDU that it receives and go to forwarding.
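The following Python model is an added illustration, not code from the original page or from any switch vendor: it encodes the reactions described above when an unexpected BPDU arrives under BPDU Guard (global or per-interface), global BPDU Filter, and explicit per-interface BPDU Filter, plus the audit check the note implies. The Port and Mode types, interface names and state strings are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum, auto

class Mode(Enum):
    NONE = auto()           # plain spanning tree port, no guard or filter
    GUARD_GLOBAL = auto()   # BPDU Guard enabled globally (edge ports only)
    GUARD_IFACE = auto()    # BPDU Guard enabled explicitly on this interface
    FILTER_GLOBAL = auto()  # BPDU Filter enabled globally (edge ports only)
    FILTER_IFACE = auto()   # BPDU Filter enabled explicitly on this interface

@dataclass
class Port:
    name: str                  # hypothetical interface name
    edge: bool = True          # operational spanning tree edge port?
    mode: Mode = Mode.NONE
    state: str = "forwarding"  # edge ports come up forwarding immediately

def receive_bpdu(port: Port) -> str:
    """Apply the reactions described in the text and return the new port state."""
    if port.mode is Mode.FILTER_IFACE:
        # Explicit per-interface filter: the BPDU is ignored and the port keeps
        # forwarding. Nothing detects a switch behind it; this is the loop risk.
        return port.state
    if port.mode is Mode.GUARD_IFACE or (port.mode is Mode.GUARD_GLOBAL and port.edge):
        # BPDU Guard: the port is err-disabled until an administrator intervenes.
        port.state = "err-disabled"
        return port.state
    if port.mode is Mode.FILTER_GLOBAL and port.edge:
        # Global filter: filtering is switched off for this port and it drops
        # back to a normal spanning tree port (handled by the edge branch below).
        port.mode = Mode.NONE
    if port.edge:
        # Any edge port that sees a BPDU loses edge status and transitions normally.
        port.edge = False
        port.state = "listening"
    # A non-edge port simply processes the BPDU as part of regular STP.
    return port.state

def manual_recover(port: Port) -> str:
    """Only an operator (shutdown / no shutdown) reopens an err-disabled port."""
    if port.state == "err-disabled":
        port.state = "forwarding"
    return port.state

def risky_ports(ports: list[Port]) -> list[str]:
    """Audit check from the note: per-interface BPDU Filter on a non-host port."""
    return [p.name for p in ports if p.mode is Mode.FILTER_IFACE and not p.edge]
```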